Office of Audits and Evaluations
Report No. AUD-14-009

The FDIC’s Response to Bank Secrecy Act
and Anti-Money Laundering Concerns
Identified at FDIC-Supervised Institutions

August 2014

Executive Summary

Why We Did The Audit
FDIC-supervised financial institutions are responsible for developing and administering a program to
assure and monitor compliance with the Bank Secrecy Act (BSA) and related regulations (referred to
herein as a BSA Compliance Program). The FDIC is responsible for regularly reviewing BSA
Compliance Programs, communicating identified deficiencies and apparent violations to the institution’s
management and Board of Directors (and other regulatory authorities, as appropriate), and taking
supervisory action to address the associated risks.

The objective of this performance audit was to determine how the FDIC has responded to BSA and
anti-money laundering (AML) concerns identified in reports of examination. To address the objective, we
determined the extent and types of supervisory actions that the FDIC has taken to address BSA/AML
concerns. We also assessed the extent to which supervisory actions, including referrals of apparent
violations to other federal agencies, comply with applicable statutes; interagency policy and guidance;
and FDIC policies, procedures, and guidelines.
Further, we evaluated the consistency of the Division of
Risk Management Supervision’s (RMS) Regional Offices in applying BSA/AML-related policies,
procedures, and guidelines.

Background
Within the FDIC, RMS has primary responsibility for examining financial institutions for compliance
with the BSA and related regulations. Because RMS considers BSA compliance to be a matter of safety
and soundness, each on-site risk management examination includes an assessment of the institution’s
BSA Compliance Program. Any deficiencies in BSA Compliance Programs or apparent violations of
BSA-related regulations identified by examiners are documented in reports of examination and visitation
reports that are provided to the institution’s management and Board of Directors. The FDIC’s primary
system of record for recording information about BSA examinations and related supervisory activities is
the Virtual Supervisory Information on the Net (ViSION).

Audit Results
The FDIC responds to BSA/AML concerns identified in reports of examination through the
implementation of supervisory actions. Such actions can range from examiner recommendations that
address isolated BSA/AML deficiencies to formal enforcement actions that address systemic weaknesses
in BSA Compliance Programs. Serious BSA concerns can also result in referrals to the Department of the
Treasury’s Financial Crimes Enforcement Network (FinCEN) for the issuance of Civil Money Penalties
(CMP).

During the 4-year period October 1, 2009, through September 30, 2013, the FDIC and/or applicable state
regulator cited FDIC-supervised institutions for 3,294 apparent violations of BSA-related regulations,
agreed to or issued 175 BSA-related informal and formal enforcement actions, and made 22 referrals to
FinCEN for CMPs.
In addition, the reports of examination and visitation reports that we reviewed
identified the specific BSA regulations that were violated, the nature and causes of the violations, the
recommended corrective actions, and the institutions’ management responses. Further, follow-up
examinations and visitations were generally conducted in a timely manner.

Our review of the FDIC’s supervisory actions to address BSA/AML concerns at 51 non-statistically
sampled financial institutions found that the actions were generally consistent with applicable statutory
requirements, interagency policy and guidance, and FDIC policies, procedures, and guidelines. However,
in 4 of 15 cases involving BSA Compliance Program failures and/or repeat apparent violations of BSA
program requirements, stronger or earlier supervisory action in the form of a formal enforcement action
may have been warranted. Based on the results of subsequent examinations, two of the four institutions
took action to improve their BSA Compliance Programs.
Although FDIC management provided a
rationale for the supervisory approach applied in these cases, promptly issuing formal enforcement
actions would have established a supervisory tenor of expectations consistent with interagency policy.
Our review of supervisory actions to address BSA/AML concerns also identified a potential control
improvement with respect to recording in ViSION the status and disposition of CMP referrals to FinCEN.

The FDIC has established a number of controls to promote consistency among RMS Regional Offices in
applying BSA/AML-related policies, procedures, and guidelines. Such controls include, for example,
bi-monthly meetings between the Regional Offices and RMS headquarters’ Anti-Money Laundering and
Risk Analysis Branch to discuss BSA/AML problem institutions, the examination report review process,
and periodic internal reviews by RMS’ Internal Control and Review Section. In addition, RMS’ Regional
Offices generally appeared to apply BSA/AML-related policies, procedures, and guidelines in a consistent
manner for the institutions that we reviewed. However, Regional Office procedures for monitoring
institutions with significant BSA/AML problems were not always current.
In addition, we noted
differences among these Regional Office procedures that warrant review by RMS management.

Reviewing and addressing the above issues, as appropriate, will provide the FDIC with greater assurance
that its supervisory responses to BSA/AML concerns are consistent and compliant with applicable
statutory requirements; interagency policy and guidance; and FDIC policies, procedures, and guidelines.

We identified certain other matters that we did not consider significant in the context of the audit results,
and we communicated those separately to appropriate FDIC management officials.

Recommendations and Corporation Comments
Our report contains three recommendations addressed to the Director, RMS, that are intended to improve
RMS’ internal controls for addressing BSA/AML concerns identified during examinations of
FDIC-supervised institutions. The Director, RMS, provided a written response, dated July 31, 2014, to a draft
of this report. In the response, the Director concurred with all three of the report’s recommendations and
described planned corrective actions that address the recommendations.

Contents

Background

      Requirements for FDIC-Supervised Institutions

      The FDIC’s BSA/AML Program

      Key Policies, Procedures, and Guidelines

Audit Results

Supervisory Actions to Address BSA/AML Concerns

Compliance with Applicable Statutes; Interagency Policy and
Guidance; and FDIC Policies, Procedures, and Guidelines

      Use of Cease and Desist Orders to Address Significant BSA/AML
      Concerns

      Recording Information in ViSION About Referrals to FinCEN

Regional Office Consistency in Applying BSA/AML-related Policies,
Procedures, and Guidelines

      Regional Office Procedures for Monitoring Institutions with
      Significant BSA/AML Problems

Corporation Comments and OIG Evaluation

Appendices
      1. Objective, Scope, and Methodology
      2. Glossary of Terms
      3. Acronyms and Abbreviations
      4. Corporation Comments
      5. Summary of the Corporation’s Corrective Actions

Tables
      1. Selected Statistics Pertaining to BSA Examinations and
         Visitations
      2. Selected Statistics Pertaining to BSA/AML Supervisory
         Actions
      3. Institutions with Informal and Formal Supervisory Actions and
         Referrals
      4. Institutions Without Informal and Formal Supervisory Actions
         and Referrals

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, Virginia 22226

Office of Audits and Evaluations
Office of Inspector General

DATE:              August 21, 2014

MEMORANDUM TO:     Doreen R. Eberley, Director
                   Division of Risk Management Supervision

                   /Signed/
FROM:              Stephen M. Beard
                   Deputy Inspector General for Audits and Evaluations

SUBJECT:           The FDIC’s Response to Bank Secrecy Act and Anti-Money
                   Laundering Concerns Identified at FDIC-Supervised
                   Institutions (Report No. AUD-14-009)

This report presents the results of our audit of the FDIC’s response to Bank Secrecy Act
(BSA) and Anti-Money Laundering (AML) concerns identified during examinations of
FDIC-supervised financial institutions.[1] FDIC-supervised financial institutions are
responsible for developing and administering a program to assure and monitor
compliance with the BSA and related regulations (referred to herein as a BSA
Compliance Program). The FDIC is responsible for regularly reviewing BSA
Compliance Programs, communicating identified deficiencies and apparent violations to
the institution’s management and Board of Directors (and other regulatory authorities, as
appropriate), and taking supervisory action to address the associated risks.

The audit objective was to determine how the FDIC has responded to BSA/AML
concerns identified in reports of examination. To address this objective, we determined
the extent and types of supervisory actions that the FDIC has taken to address BSA/AML
concerns. We also assessed the extent to which supervisory actions, including referrals
of apparent violations to other federal agencies, comply with applicable statutes;
interagency policy and guidance; and FDIC policies, procedures, and guidelines.
Further,
we evaluated the consistency of the Division of Risk Management Supervision’s (RMS)
Regional Offices in applying BSA/AML-related policies, procedures, and guidelines.
We based our conclusions, in part, on a detailed analysis of supervisory actions taken to
address BSA/AML concerns for a non-statistical sample of 51 financial institutions.[2]

We conducted this performance audit in accordance with generally accepted government
auditing standards. Appendix 1 of this report includes additional information about our
objective, scope, and methodology; Appendix 2 contains a glossary of key terms;
Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the
Corporation’s comments on this report; and Appendix 5 contains a summary of the
Corporation’s corrective actions.

[1] The BSA is sometimes referred to as an anti-money laundering law or jointly as BSA/AML. Terms that
are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.
[2] A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for
details regarding our sampling methodology.

Background
In 1970, the Congress passed the Currency and Foreign Transactions Reporting
Act—commonly referred to as the BSA—to facilitate the detection and prevention of money
laundering.
The statute established certain requirements for recordkeeping and reporting
by private individuals, banks, and other financial institutions to help identify the source,
volume, and movement of currency and other monetary instruments transported or
transmitted into or out of the United States or deposited in financial institutions.
Specifically, the BSA requires individuals, banks, and other financial institutions to file
currency reports with the Department of the Treasury (the Treasury), properly identify
persons conducting transactions, and maintain appropriate records of financial
transactions. Such records enable law enforcement and regulatory agencies to pursue
investigations of criminal, tax, and regulatory violations, if warranted, and provide
evidence useful in prosecuting money laundering and other financial crimes.

Increasingly sophisticated money laundering activities and growing concerns about
terrorist financing prompted the Congress to enact a number of amendments to the BSA
since its passage in 1970. One such amendment was the Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act of 2001 (also known as the USA PATRIOT Act). This legislation, which was
enacted after the September 11, 2001, terrorist attacks on the United States, was intended
to facilitate the prevention, detection, and prosecution of international money laundering
and the financing of terrorism.

The Treasury’s Financial Crimes Enforcement Network (FinCEN) has overall
responsibility for the administration and enforcement of the BSA. In this role, FinCEN is
responsible for (among other things) issuing regulations and interpretative guidance,
engaging in industry outreach activities, providing investigative case support to law
enforcement, and pursuing civil money penalties (CMPs) against entities and individuals,
when warranted.
In addition, the federal banking agencies, including the FDIC, have
statutory authority to regulate and examine the financial institutions under their
supervision for BSA/AML compliance.[3] Specifically, section 8(s) of the Federal Deposit
Insurance Act (FDI Act) (codified to 12 U.S.C. 1818(s)) requires the federal banking
agencies to prescribe BSA-related regulations, review BSA Compliance Programs during
examinations, describe any identified problems in reports of examination, and issue
formal orders under certain circumstances.[4] FinCEN relies on the federal banking
agencies to examine financial institutions for BSA compliance and coordinates with the
agencies when pursuing CMPs.

[3] The federal banking agencies consist of the FDIC, the Board of Governors of the Federal Reserve System,
the Office of the Comptroller of the Currency, and the National Credit Union Administration. Other
federal agencies (i.e., the Securities and Exchange Commission, the Commodity Futures Trading
Commission, and the Internal Revenue Service) also have BSA compliance-related responsibilities for
certain entities.

Requirements for FDIC-Supervised Institutions
Section 326, Subpart B, Procedures for Monitoring Bank Secrecy Act Compliance, of the
FDIC Rules and Regulations requires FDIC-supervised financial institutions to establish
and maintain procedures reasonably designed to assure and monitor compliance with the
requirements of the BSA and the implementing regulations promulgated thereunder by
the Treasury at 31 Code of Federal Regulations (C.F.R.) Chapter X. These procedures,
also known as BSA Compliance Programs, must be in writing and approved by the
institution’s Board of Directors.
At a minimum, each BSA Compliance Program must
include:

    •    a system of internal controls to assure ongoing compliance with the BSA,

    •    independent testing for BSA/AML compliance,

    •    a designated individual or individuals responsible for coordinating and monitoring
         day-to-day BSA/AML compliance, and

    •    training for appropriate personnel.

In addition, section 326 requires BSA Compliance Programs to include a Customer
Identification Program with risk-based procedures that enable the institution to form a
reasonable belief that it knows the true identity of its customers. The Customer
Identification Program and the four program requirements outlined above are referred to
as the “pillars” of a successful BSA Compliance Program.

The FDIC’s BSA/AML Program
Within the FDIC, RMS has primary responsibility for examining financial institutions for
compliance with the BSA and related regulations. RMS’ Anti-Money Laundering and
Risk Analysis Branch in the Washington, D.C. Office provides overall direction for the
BSA/AML program, including policy development, administration of the examination
process, and coordination with outside agencies, such as FinCEN, the Department of
Justice (DOJ), and other federal banking agencies. Because RMS considers BSA
compliance to be a matter of safety and soundness, each on-site risk management
examination includes an assessment of the institution’s BSA Compliance Program.[5] In
addition, RMS may conduct on-site BSA visitations between examinations to determine
changes in an institution’s risk profile, monitor compliance with a corrective program,
investigate adverse or unusual situations, or determine progress in correcting deficiencies.
Table 1 contains selected statistics related to BSA examinations and visitations conducted
by the FDIC and/or applicable state regulator during the fiscal years ended September 30,
2010-2013.

[4] Formal orders, also known as enforcement actions, refer to Cease-and-Desist Orders (C&D) or Consent
Orders. Our report also references informal actions, which are typically Bank Board Resolutions (BBR) or
Memoranda of Understanding (MOU).
[5] In general, the FDIC is required to conduct on-site examinations of the institutions it supervises at least
once every 12 months. The annual examination interval may be increased to 18 months for small
institutions under certain circumstances.

Table 1: Selected Statistics Pertaining to BSA Examinations and Visitations
Fiscal Year Ended September 30                             2010   2011   2012   2013
Number of FDIC-Supervised Financial Institutions          4,785  4,651  4,516  4,354
Number of BSA Examinations and Visitations Conducted      3,918  3,917  3,722  3,523
  FDIC Examinations*                                      2,722  2,815  2,678  2,413
  FDIC Visitations                                           42     31     39     50
  State Banking Agency Examinations**                     1,154  1,071  1,005  1,060
Source: OIG analysis of annual and quarterly reports submitted by the FDIC to FinCEN.
* Includes examinations conducted jointly with state banking agencies.
** Reflects examinations conducted by state banking agencies and reviewed by the FDIC under an established joint or
alternate examination program where the examination is not conducted jointly with the FDIC.

The FDIC’s primary system of record for recording information about BSA examinations
and related supervisory activities is the Virtual Supervisory Information on the Net
(ViSION).
A number of other FDIC supervisory information systems are also used to
record BSA/AML information.

Key Policies, Procedures, and Guidelines
The federal banking agencies have issued various policies and guidance that are intended
to promote a consistent supervisory approach for addressing BSA/AML risks and
compliance at insured institutions. These include the:

    •    Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money
         Laundering Requirements (Interagency Policy Statement). Issued in July 2007,
         the Interagency Policy Statement sets forth the federal banking agencies’ policy
         on the circumstances in which an agency will issue a C&D to address
         noncompliance with certain BSA/AML requirements.

    •    Bank Secrecy Act/Anti-Money Laundering Examination Manual. Issued by the
         Federal Financial Institutions Examination Council (FFIEC) in June 2005 (and
         updated in April 2010), the manual provides an overview of BSA/AML
         requirements, risks and risk management expectations, sound industry practices,
         and examination procedures.

In addition, the FDIC has issued BSA/AML-related policies, procedures, and guidelines
to its examination staff.
For example, the Risk Management Manual of Examination
Policies contains procedures for assessing BSA Compliance Programs and addressing
related concerns; the Formal and Informal Action Procedures Manual provides
guidelines regarding when and under what circumstances informal or formal supervisory
actions should be considered; and other RMS policies, procedures, and guidelines address
various BSA-related supervisory activities, such as issuing enforcement actions, referring
apparent violations to FinCEN, and planning for examinations and testing transactions.
In addition, RMS Regional Offices have issued supplemental procedures for monitoring
financial institutions with significant BSA/AML problems. Finally, the FDIC has issued
Financial Institution Letters and conducted industry outreach activities to address
BSA/AML issues and risks.

Audit Results
The FDIC responds to BSA/AML concerns identified in reports of examination through
the implementation of supervisory actions. Such actions can range from examiner
recommendations that address isolated BSA/AML deficiencies to formal enforcement
actions that address systemic weaknesses in BSA Compliance Programs. Serious BSA
concerns can also result in referrals to FinCEN for CMPs. During the 4-year period
October 1, 2009, through September 30, 2013, the FDIC and/or applicable state regulator
cited FDIC-supervised institutions for 3,294 apparent violations of BSA-related
regulations, agreed to or issued 175 BSA/AML-related informal and formal enforcement
actions, and made 22 referrals to FinCEN for CMPs.

Our review of the FDIC’s supervisory actions to address BSA/AML concerns at selected
financial institutions found that the actions were generally consistent with applicable
statutory requirements; interagency policy and guidance; and FDIC policies, procedures,
and guidelines.
However, we did identify instances in which a formal enforcement action
to address BSA Compliance Program failures and/or repeat apparent violations of BSA
program requirements may have been warranted or taken earlier. We also identified a
potential control improvement with respect to recording in ViSION the status and
disposition of referrals to FinCEN for the issuance of CMPs.

RMS’ Regional Offices generally appeared to apply BSA/AML-related policies,
procedures, and guidelines in a consistent manner for the institutions that we reviewed.
However, Regional Office procedures for monitoring institutions with significant
BSA/AML problems were not always current. In addition, we noted differences among
these Regional Office procedures that warrant review by RMS management.

Reviewing and addressing the above issues, as appropriate, will provide the FDIC with
greater assurance that its supervisory responses to BSA/AML concerns are consistent and
compliant with applicable statutory requirements; interagency policy and guidance; and
FDIC policies, procedures, and guidelines.

We identified certain other matters that we did not consider significant in the context of
the audit results, and we communicated those separately to appropriate FDIC
management officials.

Supervisory Actions to Address BSA/AML Concerns
Examiners are responsible for documenting deficiencies in BSA Compliance Programs
and apparent violations of BSA-related regulations in reports of examination and
visitation reports and providing these reports to the institution’s management and Board
of Directors. Deficiencies and apparent violations can often be successfully addressed
through examiner recommendations and/or discussions with the institution’s management
and Board of Directors.
However, serious concerns, such as BSA Compliance Program
failures or repeat apparent violations of BSA program requirements, may require stronger
supervisory action, such as an informal or formal enforcement action. Table 2 contains
selected statistics related to BSA/AML supervisory actions taken by the FDIC for the
fiscal years ended September 30, 2010-2013.

Table 2: Selected Statistics Pertaining to BSA/AML Supervisory Actions
Fiscal Year Ended September 30                                                              2010  2011  2012  2013
Number of Financial Institutions Cited for Apparent Violations                               490   498   463   435
Number of Apparent Violations Cited                                                          806   920   818   750
Number of Informal and Formal Actions Imposed on FDIC-supervised Financial Institutions       43    42    42    48
  Formal Actions                                                                              11    18    16    19
  Informal Actions                                                                            32    24    26    29
Source: OIG analysis of annual and quarterly reports submitted by the FDIC to FinCEN.

Serious BSA/AML concerns can also result in referrals to FinCEN for CMPs against an
institution or its partners, directors, officers, or employees. During the 4-year period
covered in the table above, the FDIC made 22 referrals to FinCEN for the issuance of
CMPs. During the same period, a total of five BSA-related CMPs were issued against
FDIC-supervised institutions totaling $27,775,000.
In cases involving apparent willful
violations of money laundering statutes, FinCEN may also engage DOJ for possible
criminal prosecution.

Our review of selected reports of examination and visitation reports for a non-statistical
sample of 51 financial institutions found that the reports identified the specific BSA
regulations that were violated, the nature and causes of the apparent violations, the
recommended corrective actions, and the institutions’ management responses. Further,
follow-up examinations and visitations were generally conducted in a timely manner.

Compliance with Applicable Statutes; Interagency
Policy and Guidance; and FDIC Policies, Procedures,
and Guidelines
Our review of the FDIC’s supervisory actions to address BSA/AML concerns at selected
financial institutions found that the actions were generally consistent with applicable
statutory requirements, interagency policy and guidance, and FDIC policies, procedures,
and guidelines. However, as described below, we did identify potential control
improvements with respect to the use of formal enforcement actions to address significant
BSA/AML concerns and recording the status and disposition of referrals to FinCEN for
CMPs.

Use of Cease and Desist Orders to Address Significant
BSA/AML Concerns
Section 8(s)(3) of the FDI Act states that the appropriate federal banking agency shall
issue a C&D against an insured depository institution that fails to (a) establish and
maintain a reasonably designed BSA Compliance Program or (b) correct any previously
reported problem with a BSA Compliance Program. In light of these requirements, the
federal banking agencies issued the Interagency Policy Statement that defines the
circumstances in which the agencies will issue a C&D to address noncompliance with
BSA/AML requirements.
Specifically, the Interagency Policy Statement explains that the
appropriate federal banking agency will issue a C&D, based on a careful review of
relevant facts and circumstances, if an institution:

   •   Fails to have a written BSA Compliance Program, including a Customer
       Identification Program, that adequately covers the required program elements
       (i.e., internal controls, independent testing, designated compliance personnel, and
       training); or

   •   Fails to implement a BSA Compliance Program that adequately covers the
       required program elements; or

   •   Has defects in its BSA Compliance Program in one or more program elements
       that indicate either the written program or its implementation is not effective.

For example, an institution that has procedures to provide training to appropriate
personnel, independent testing, and a designated BSA Compliance Officer, would still be
subject to a C&D if its system of internal controls (such as customer due diligence,
procedures for monitoring suspicious activity, or an appropriate risk assessment) fails
with respect to a high-risk area or to multiple lines of business that significantly impact
the institution’s overall BSA compliance.
However, other types of deficiencies in a BSA\nCompliance Program or in the implementation of one or more of the required program\nelements may not result in the issuance of a C&D, unless the deficiencies are so severe as\nto render the BSA Compliance Program ineffective when viewed as a whole.\n\n\n                                             7\n\x0cThe Interagency Policy Statement also states that a C&D will be issued, based on a\ncareful review of relevant facts and circumstances, if an institution fails to correct a\npreviously reported problem with its BSA Compliance Program.6 For example, failure to\ntake any action in response to an express criticism in a report of examination regarding a\nfailure to appoint a qualified BSA Compliance Officer could be viewed as an uncorrected\nproblem that would result in a C&D. However, a failure to correct a BSA Compliance\nProgram problem would not ordinarily require a C&D unless the deficiencies\nsubsequently found are substantially the same as those previously reported to the\ninstitution.\n\nAnalysis of Supervisory Actions at Selected Institutions\n\nWe reviewed the FDIC\xe2\x80\x99s supervisory actions to address significant BSA/AML concerns\nfor a non-statistical sample of 15 financial institutions. In all 15 cases, examiners had\ncriticized the institution in a report of examination or visitation report for failing to have\nan adequate BSA Compliance Program and/or to correct a previously reported violation\nof a BSA program requirement. 
Consistent with applicable statutory requirements, the Interagency Policy Statement, and FDIC policies, procedures, and guidelines, we found that the FDIC had issued (or was in the process of issuing) a BSA-related C&D or Consent Order against 12 of the 15 institutions to address the identified concerns. However, for two of the remaining three institutions, examiners recommended in a report of examination that the identified BSA/AML concerns be corrected, but no BSA-related enforcement action was taken. For the other institution, the FDIC coordinated the adoption of a BBR. Based on our review of the circumstances for these three institutions, formal enforcement actions may have been warranted. A brief description of the circumstances pertaining to these three institutions follows, including RMS’ rationale for the supervisory approach applied in these cases.

   • A May 2012 report of examination stated that an institution’s BSA Compliance Program was inadequate; made recommendations for the institution to develop an adequate BSA Compliance Program to include appointing a BSA Compliance Officer, providing a system of internal controls, scheduling and performing independent reviews of the institution’s BSA Compliance Program, and providing and documenting training to appropriate personnel; and cited apparent violations of all five program requirements in section 326.8 of the FDI Act. One of the violations was a repeat violation. At the time of the examination, the institution had been operating under a Consent Order for safety and soundness issues since December 2008. Examiners initially intended to modify the Consent Order after the May 2012 examination to address the apparent BSA violations.
     However, RMS officials informed us that a modification was not issued because CMPs against the institution were being considered for non-compliance with the Consent Order.

     A December 2012 visitation report indicated that the institution was taking steps to improve its BSA Compliance Program, but that an independent review of the program had resulted in 29 recommendations for improvement. The June 2013 report of examination indicated that the institution’s BSA Compliance Program was adequate, although the report also made recommendations in the areas of BSA training and the institution’s Enhanced Due Diligence program.

[6] In order to be considered a “problem” within the meaning of section 8(s)(3)(B), a deficiency would ordinarily involve a serious defect in one or more of the required components of the BSA Compliance Program (or implementation thereof) that a report of examination or other written supervisory communication identifies as requiring communication to the institution’s Board of Directors or senior management as a matter that must be corrected.

   • A March 2012 report of examination cited a repeat apparent violation for an institution’s failure to train appropriate personnel and recommended training for the BSA Compliance Officer. At the time of the examination, the institution had been operating under a Consent Order for safety and soundness issues since July 2010. RMS officials informed us that the Consent Order was not modified to address the repeat apparent violation because the institution hired a BSA Compliance Officer during the examination and provided training 2 months after the examination was completed.
     The BSA Compliance Officer resigned before the start of the April 2013 examination and a new BSA Compliance Officer was appointed during the examination. As a result of this examination, examiners cited four apparent violations, including ineffective internal controls, a failure to designate a BSA Compliance Officer, a failure to provide adequate BSA training, and a failure to file a timely suspicious activity report. Additionally, the April 2013 report of examination included recommendations to strengthen BSA/AML internal controls to adequately monitor and control the BSA function. A modified Consent Order was drafted but not implemented before the institution was closed in October 2013.

   • An October 2012 report of examination cited a repeat apparent violation for an institution’s failure to provide adequate BSA/AML internal controls. The report indicated that although some effort had been made to improve the BSA Compliance Program after the prior examination, numerous BSA control issues remained, including significant turnover in the BSA Compliance Officer position, system limitations, noncompliance with reporting requirements, and a lack of familiarity with BSA regulatory requirements by institution personnel. The report included recommendations addressing each of these areas. The institution was already operating under a BBR to address apparent BSA violations identified during the prior examination. The BBR was modified in May 2013 to address the BSA/AML concerns identified during the October 2012 examination. RMS officials informed us that they did not pursue a Consent Order because the bank had made significant strides in improving its BSA Compliance Program and RMS considered the underlying issues leading to the repeat apparent violation to be different from the prior examination.
     The November 2013 report of examination indicated that the institution’s BSA Compliance Program was satisfactory, although the report did recommend improvements to the institution’s risk assessment policies.

We also noted that a formal enforcement action to address BSA/AML concerns at one of the 12 institutions could have been implemented sooner. Specifically, a May 2012 visitation report stated that an institution’s BSA Compliance Program was unsatisfactory and cited an apparent violation related to internal controls. The July 2012 examination reiterated the results of the May 2012 visitation. In October 2012, the FDIC entered into an MOU with the institution to address (among other things) the BSA/AML concerns. A February 2013 visitation report stated that the institution’s BSA Compliance Program remained unsatisfactory and described continuing systemic BSA/AML weaknesses. The report cited a repeat apparent violation related to internal controls and a new violation for a failure to designate a BSA Compliance Officer. The August 2013 report of examination stated that systemic BSA weaknesses continued to exist and cited two repeat apparent violations. Based on the results of the August 2013 examination, the FDIC issued a Consent Order in February 2014.

We recognize that in two of the four instances discussed above, the institutions took action to improve their BSA Compliance Programs. Nevertheless, issuing a formal enforcement action would have established a supervisory tenor of expectations consistent with the Interagency Policy Statement.

We discussed the results of our analysis with RMS officials in the Anti-Money Laundering and Risk Analysis Branch.
During those discussions, these officials indicated that additional steps could be taken to enhance their processes and approach for determining supervisory responses to address significant BSA/AML concerns. For example, the officials acknowledged that it would be prudent to document the rationale for not pursuing a formal enforcement action to address an inadequate BSA Compliance Program or correct a previously-reported apparent violation of a BSA program requirement, as in the instances described above. In our view, such decisions should also require the written concurrence of the Anti-Money Laundering and Risk Analysis Branch. These RMS officials also indicated that they were considering the adoption of new metrics and greater use of data analytics to facilitate the identification of BSA/AML problems at institutions and their communications with the Regional Offices.

Recommendation

We recommend that the Director, RMS:

   1. Review and enhance, as appropriate, RMS’ processes and approach for determining supervisory responses to inadequate BSA Compliance Programs and/or repeat apparent violations of BSA program requirements.

Recording Information in ViSION About Referrals to FinCEN

RMS has established a series of Action Codes within ViSION that indicate whether an institution is subject to certain supervisory actions or activities. For example, Action Codes indicate whether an institution is subject to an informal action, a formal enforcement action, a referral to FinCEN for CMPs, or has one or more repeat apparent BSA program violations. RMS policy requires that certain Action Codes be accompanied by a comment in ViSION by the Washington Office.

We reviewed a non-statistical sample of 35 financial institutions with Action Codes requiring a comment in ViSION to determine whether the required comment had, in fact, been recorded in the system.
Each of the 35 institutions had one or more Action Codes indicating that the institution was the subject of (a) an informal action, (b) a formal enforcement action, and/or (c) a referral to FinCEN for CMPs.[7] Of the 34 institutions in our sample that had Action Codes indicating an informal or formal enforcement action, all contained comments related to the actions. However, ViSION did not contain comments for 8 of 10 institutions in our sample that had Action Codes indicating a referral to FinCEN for CMPs. Absent such comments, we were unable to determine whether the referrals had been returned by FinCEN without action or what supervisory action, if any, RMS planned to take.

We spoke with RMS officials in the Anti-Money Laundering and Risk Analysis Branch about the exceptions we identified and learned that it was not their practice to include comments in ViSION about referrals to FinCEN. Rather, information about referrals, including their status and communications with FinCEN, is maintained outside of ViSION in an Excel spreadsheet in the Washington, D.C. Office.[8] The RMS officials explained that the status of referrals to FinCEN generally does not change significantly while FinCEN is reviewing a referral and that including comments in ViSION about referrals would be of little benefit. Nevertheless, RMS officials acknowledged that their practices in this area should be consistent with RMS policy and that they would coordinate with the Regional Offices to determine whether current practices, policy, or both, should be modified. As part of this effort, RMS should clarify the nature of information that should be maintained about referrals to ensure consistency.

Recommendation

We recommend that the Director, RMS:

   2.
      Review and modify, as appropriate, RMS policy and practices for recording the status and disposition of referrals to FinCEN for CMPs.

[7] Nine of the institutions had two Action Codes (i.e., a formal enforcement action and a referral to FinCEN for CMPs).

[8] With respect to the eight exceptions we identified, RMS officials informed us that FinCEN had returned six referrals to the FDIC without taking action. FinCEN was still reviewing the remaining two referrals.

Regional Office Consistency in Applying BSA/AML-related Policies, Procedures, and Guidelines

The FDIC has established a number of controls to promote consistency among RMS Regional Offices in applying BSA-related policies, procedures, and guidelines. Such controls included, for example, bi-monthly meetings between the Regional Offices and the Anti-Money Laundering and Risk Analysis Branch to discuss BSA/AML problem institutions, the examination report review process, and periodic internal reviews by RMS’ Internal Control and Review Section. In addition, RMS’ Regional Offices generally appeared to apply BSA-related policies, procedures, and guidelines in a consistent manner for the institutions that we reviewed. However, Regional Office procedures for monitoring institutions with significant BSA/AML problems, including maintenance of BSA Supervisory Watchlists, were not always current. In addition, we noted differences among these Regional Office procedures that warrant review by RMS management. Reviewing and updating these procedures will promote consistency in addressing BSA/AML issues across the Regional Offices.

Regional Office Procedures for Monitoring Institutions with Significant BSA/AML Problems

Each of RMS’ six Regional Offices has established written procedures to help identify and track financial institutions with significant BSA/AML problems.
These procedures generally include the establishment and maintenance of BSA Supervisory Watchlists to monitor institutions with significant BSA/AML problems and facilitate the bi-monthly meetings with the Anti-Money Laundering and Risk Analysis Branch. The Regional Office procedures complement other RMS controls designed to promote financial institution compliance with BSA/AML requirements.

We reviewed the Regional Office procedures and noted that they did not fully reflect current practices in three of the six regions. In addition, we identified a number of variations in the procedures among the Regional Offices, including those described below.

   • BSA Supervisory Watchlist. Procedures in four Regional Offices specifically addressed the BSA Supervisory Watchlist; however, procedures in the two remaining Regional Offices did not.

   • Identification of Problem Institutions. Procedures for determining which financial institutions should be on the BSA Supervisory Watchlist varied among the Regional Offices.

   • Monitoring and Tracking. Procedures in two Regional Offices addressed adding and removing financial institutions from the BSA Supervisory Watchlists; however, procedures in the four remaining Regional Offices did not.

   • Notification.
     Procedures in four Regional Offices referenced the bi-monthly meetings with the Anti-Money Laundering and Risk Analysis Branch to discuss BSA/AML problem institutions; however, procedures in the two remaining Regional Offices did not.

Our review of the Regional Office procedures and discussions with Regional Office personnel also identified potential best practices that may benefit all Regional Offices. We provided this information to the Anti-Money Laundering and Risk Analysis Branch during the audit for its consideration.

Up-to-date policies and procedures are an important internal control for ensuring that processes are repeatable and for reducing operational risk associated with staff changes. While we recognize that differences in Regional Office procedures may evolve over time to accommodate the unique characteristics of each region’s institutions, the variations we noted warrant review by RMS management to ensure that a consistent approach is being taken to identify, track, and monitor financial institutions with significant BSA/AML problems.

Recommendation

We recommend that the Director, RMS:

   3. Review and update, as appropriate, Regional Office procedures for monitoring financial institutions with significant BSA/AML problems to ensure consistency.

Corporation Comments and OIG Evaluation

The Director, RMS, provided a written response, dated July 31, 2014, to a draft of this report. The response is presented in its entirety in Appendix 4. In the response, the Director concurred with all three of the report’s recommendations. In a separate communication, an RMS official indicated that all corrective actions described in the response would be completed by the end of 2014. A summary of the Corporation’s corrective actions is presented in Appendix 5.
The planned corrective actions are responsive to the recommendations, and the recommendations are resolved.

Appendix 1

Objective, Scope, and Methodology

Objective

The objective of this performance audit was to determine how the FDIC has responded to BSA/AML concerns identified in reports of examination. To address the audit objective, we:

   • determined the extent and types of supervisory actions that the FDIC took to address BSA/AML concerns;

   • assessed the extent to which supervisory actions, including referrals of apparent violations to other federal agencies, complied with applicable statutes; interagency policy and guidance; and FDIC policies, procedures, and guidelines; and

   • evaluated the consistency of RMS’ Regional Offices in applying BSA/AML-related policies, procedures, and guidelines.

We conducted the audit from April 2013 to May 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Scope and Methodology

To gain an understanding of the FDIC’s process and approach to responding to BSA/AML concerns identified in reports of examination, we:

   • Identified and became familiar with BSA/AML statutes; interagency policy and guidance; and FDIC policies, procedures, and guidelines.
     Such criteria included, but were not limited to:

        o Section 8(s), Compliance with Monetary Transaction Recordkeeping and Report Requirements, of the FDI Act;
        o Section 326.8, Bank Secrecy Act Compliance; section 353, Suspicious Activity Reports; and section 337.12, Frequency of Examination, of the FDIC Rules and Regulations;
        o Treasury’s 31 CFR Chapter X;
        o The Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements;
        o The Memorandum of Understanding between the federal banking agencies and FinCEN regarding information sharing;
        o The Bank Secrecy Act/Anti-Money Laundering Examination Manual published by the FFIEC; and
        o Relevant provisions of the FDIC’s Risk Management Manual of Examination Policies, the Case Manager Procedures Manual, and the Formal and Informal Action Procedures Manual, and various other RMS policies, procedures, and guidelines.

   • Conducted a site visit to RMS’ Dallas Field Office in February 2013 to review selected BSA examination workpapers (which were not included in our audit sample described below) and interviewed RMS staff about the BSA examination process, including how deficiencies and apparent violations are addressed.

   • Interviewed officials in RMS’ Anti-Money Laundering and Risk Analysis Branch in Washington, D.C.
     to obtain a program-level perspective on BSA/AML risks and issues.

   • Interviewed FDIC Legal Division staff in the Atlanta, Dallas, New York, and San Francisco Regional Offices and in the Boston Area Office to discuss the FDIC’s approach and processes for issuing informal actions, formal enforcement actions, and referrals to FinCEN for CMPs.

   • Spoke with FinCEN officials regarding their coordination with the FDIC in addressing BSA/AML issues at FDIC-supervised institutions.

   • Contacted officials in the Treasury OIG to discuss their audit work related to BSA/AML matters.

As discussed further below, we relied on data in ViSION for purposes of determining the extent and types of supervisory actions taken by the FDIC to address BSA/AML concerns and to select a sample of institutions for detailed analysis. We determined that the data in this system was sufficiently reliable for these purposes by comparing selected data to various reports and documents generated by other information systems and to reports of examination and through discussions with management.

With respect to determining the extent and types of supervisory actions taken by the FDIC to address BSA/AML concerns, we reviewed quarterly and annual reports that the FDIC submitted to FinCEN covering the period October 1, 2009, to September 30, 2013, and reports generated by ViSION that identify (a) institutions with one or more apparent violations of BSA/AML requirements and (b) certain types of supervisory actions applicable to those institutions. The ViSION reports we reviewed were generated as of April 2, 2013, and covered all FDIC-supervised financial institutions with an examination start date between January 1, 2011, and December 31, 2012.
A total of 938 institutions were included in the reports.

To assess the extent to which the FDIC’s supervisory actions complied with applicable statutes; interagency policy and guidance; and FDIC policies, procedures, and guidelines, we analyzed the supervisory actions pertaining to a non-statistical sample of 51 FDIC-supervised financial institutions. Of particular note, our audit procedures included analyses to determine whether the FDIC had complied with selected provisions of section 8(s) of the FDI Act and whether institutions were in compliance with section 326.8 of the FDIC Rules and Regulations. A description of our sampling methodology follows.

We initially selected 74 institutions from the universe of 938 institutions in the ViSION reports described above. The 74 institutions consisted of (a) 46 institutions with an informal or formal BSA/AML enforcement action and/or a referral to FinCEN for CMPs and (b) 28 institutions without a supervisory action or referral to FinCEN. We selected the group of 46 institutions by randomly choosing up to 10 institutions under the supervision of each RMS Regional Office.[9] We chose these institutions in such a manner as to obtain a mix of supervisory action types. We selected the group of 28 institutions by randomly choosing up to 5 institutions under the supervision of each RMS Regional Office. We consulted with a statistician in the FDIC’s Division of Insurance and Research in developing our sampling methodology.

After analyzing the supervisory actions for 51 of the 74 institutions that we initially selected, it became evident to us that we had sufficient evidence to address our audit objective.
Tables 3 and 4 provide a breakdown of the number of institutions that we initially selected and the number of institutions that we actually reviewed.

Table 3: Institutions with Informal and Formal Supervisory Actions and Referrals

Regional Office   C&Ds or Consent Orders   Informal Actions   Referrals to FinCEN for CMPs   Total Initially Selected   Total Reviewed
Atlanta           4                        3                  3                              10                         10
Chicago           4                        3                  3                              10                         10
Dallas            3                        3                  0                              6                          3
Kansas City       3                        3                  0                              6                          3
New York          1                        3                  3                              7                          4
San Francisco     3                        3                  1                              7                          5
Totals            18                       18                 10                             46                         35

Source: OIG analysis of ViSION reports.

[9] We selected at least three institutions per Regional Office for each category of supervisory action during the period of our review, but in some regions there were fewer than three institutions in each category.
In those cases, we selected all of the supervisory actions that existed in those categories.

Table 4: Institutions Without Informal and Formal Supervisory Actions and Referrals

Regional Office   Total Initially Selected   Total Reviewed
Atlanta           4                          4
Chicago           4                          4
Dallas            5                          2
Kansas City       5                          2
New York          5                          2
San Francisco     5                          2
Total             28                         16

Source: OIG analysis of ViSION reports.

Our analysis of the 51 institutions was generally limited to information in reports of examination, visitation reports, and the FDIC’s ViSION and other supervisory information systems. Our analysis did not include a review of examination workpapers to determine whether examiners had identified all relevant BSA/AML deficiencies and apparent violations or made all relevant referrals to FinCEN. However, we did speak with RMS officials in the Anti-Money Laundering and Risk Analysis Branch to discuss the results of our analyses and the exceptions we identified.

With respect to our assessment of the FDIC’s consistency in applying BSA-related policies, procedures, and guidelines, we used the same sample of 51 institutions described above. We also reviewed Regional Office procedures for identifying and tracking financial institutions with significant BSA/AML problems (including those on the BSA Supervisory Watchlist).
Further, we spoke with RMS officials in all six Regional Offices about the procedures.

We performed our audit work at the FDIC’s offices in Dallas, Texas; Arlington, Virginia; and Washington, D.C.

Appendix 2

Glossary of Terms

Term: Definition

Apparent Violation: In the context of a BSA examination, an apparent violation is a failure on the part of a financial institution to comply with a relevant provision of a BSA-related regulation, most notably Treasury’s 31 C.F.R. Chapter X, which establishes the minimum recordkeeping and reporting requirements for currency and foreign transactions by financial institutions, or section 326, Subpart B, Procedures for Monitoring Bank Secrecy Act Compliance, of the FDIC Rules and Regulations. Apparent violations that are considered to be significant should be reviewed by the FDIC for referral to FinCEN for issuance of CMPs. Apparent violations should be communicated to the institution via a written communication, most often through the report of examination, and reported to FinCEN.

Bank Board Resolution (BBR): An informal commitment adopted by a financial institution’s Board of Directors (often at the request of the FDIC) directing the institution’s personnel to take corrective action regarding specific deficiencies.
BBRs may be used to strengthen and monitor an institution’s progress with regard to a particular component rating or activity.

Bank Secrecy Act and Anti-Money Laundering (BSA/AML): In 1970, Congress passed the Currency and Foreign Transactions Reporting Act, commonly referred to as the BSA (Public Law 91-508). This legislation established reporting and other AML requirements for domestic financial institutions. Due to the increased sophistication of money laundering activities and concerns about terrorist financing, Congress expanded AML legislation to cover more types of institutions involved in a broader range of financial transactions. For example, in 2001, Congress enacted the USA PATRIOT Act to strengthen reporting and AML requirements for securities firms, futures firms, money services businesses, and other financial institutions. The BSA is sometimes referred to as an AML statute, or jointly as BSA/AML.

BSA Compliance Officer: An individual designated as being responsible for managing BSA compliance.

BSA Supervisory Watchlists: Listings of FDIC-supervised financial institutions that have significant BSA/AML problems. Each RMS Regional Office maintains its own BSA Supervisory Watchlist. The watchlists serve as management tools to facilitate the oversight and monitoring of the institutions.

Cease-and-Desist Order (C&D) or Consent Order: A formal enforcement action issued to stop violations of law, rule, or regulation, or unsafe or unsound banking practices, as well as to require affirmative action to correct any conditions resulting from such violations or practices.
C&Ds may be issued after notice and hearing, and Consent Orders after stipulation by the institution. By ordering an institution to cease and desist from violations or practices and/or to take affirmative actions, the FDIC may prevent the institution’s problems from reaching such serious proportions as to require more severe corrective measures. Sections 8(b) and 8(s)(3) of the FDI Act authorize the FDIC to issue formal orders.

Civil Monetary Penalties (CMP): Section 8(i) of the FDI Act grants the FDIC authority to impose CMPs against insured depository institutions and institution-affiliated parties. CMPs may be assessed for violations of final and temporary orders, written agreements with the FDIC, and laws and regulations; unsafe and unsound practices; and breaches of fiduciary duty. When significant apparent violations of the BSA, or cases of willful and deliberate violations of 31 C.F.R. Chapter X or section 326.8 of the FDIC Rules and Regulations are identified at a state nonmember financial institution, examiners should determine if a recommendation for CMPs is appropriate. The FDIC coordinates the imposition of CMPs for apparent violations of BSA regulations with FinCEN.

Customer Identification Program: Federal regulations require financial institutions to develop and implement a written, board-approved Customer Identification Program, appropriate for its size and type of business.
Such programs must include, at a minimum, procedures for verifying a customer’s true
identity to the extent reasonable and practicable and defining the methodologies to be
used in the verification process; collecting specific identifying information from each
customer when opening an account; responding to circumstances and defining actions to be
taken when a customer’s true identity cannot be appropriately verified with “reasonable
belief”; maintaining appropriate records during the collection and verification of a
customer’s identity; verifying a customer’s name against specified terrorist lists; and
providing customers with adequate notice that the bank is requesting identification to
verify their identities.

Deficiency
In the context of a BSA examination, a deficiency is a weakness in a financial
institution’s BSA Compliance Program. Deficiencies should be communicated to the
institution via a written communication, such as a report of examination, visitation
report, or other correspondence.

Enhanced Due Diligence
Enhanced due diligence is a review performed for higher-risk customers of a financial
institution. Such reviews are especially critical in understanding higher-risk
customers’ anticipated transactions and implementing a suspicious activity monitoring
system that reduces the bank’s reputation, compliance, and transaction risks.
Higher-risk customers and their transactions should be reviewed more closely at account
opening and more frequently throughout the term of their relationship with the bank.

Financial Crimes Enforcement Network (FinCEN)
A bureau within the Treasury established to safeguard the financial system from illicit
use and combat money laundering and promote national security through the collection,
analysis, and dissemination of financial intelligence and strategic use of financial
authorities. FinCEN carries out its mission by receiving and maintaining financial
transactions data, analyzing and disseminating that data for law enforcement purposes,
and building global cooperation with counterpart organizations in other countries and
with international bodies. The Director of FinCEN has delegated authority to implement,
administer, and enforce compliance with the BSA and associated regulations. FinCEN
relies on the federal banking agencies to examine the financial institutions they
supervise for compliance with the BSA and coordinates with these agencies on CMPs and
criminal matters.

Memorandum of Understanding (MOU)
An informal agreement between an institution and the FDIC intended to address and
correct identified weaknesses at a financial institution.
State banking authorities may also be parties to MOUs. The FDIC often uses MOUs instead
of BBRs, especially when there is reason to believe that the deficiencies need a more
structured program or specific terms to effect corrective action.

Referrals
Financial institutions that are determined to be substantially noncompliant with the BSA
are considered for referral to FinCEN for the issuance of CMPs. In general, referrals
are considered when the types and nature of apparent violations of the BSA expose the
institution to a heightened level of risk for potential money laundering activity,
demonstrate a willful or flagrant disregard of the requirements of the BSA, or result
from a nonexistent or seriously deficient BSA Compliance Program. Referrals to FinCEN do
not preclude the FDIC from exercising its authority to take supervisory action against
an institution when apparent violations of BSA regulations are identified.

Virtual Supervisory Information on the Net (ViSION)
An FDIC information system that provides access to a broad range of information related
to insured financial institutions in support of the Corporation’s insurance and
supervision programs. RMS personnel use the system to perform supervisory-related
functions, such as tracking applications, accessing examination information, and
monitoring enforcement actions.
Analysts in the Division of Insurance and Research also rely on information in ViSION to
perform insurance-related functions, such as analyzing trends in the banking industry
and calculating deposit insurance assessment rates for financial institutions.

Appendix 3

Acronyms and Abbreviations

Acronym/Abbreviation:  Explanation:
BBR                    Bank Board Resolution
BSA/AML                Bank Secrecy Act and Anti-Money Laundering
C&D                    Cease and Desist Order
CMP                    Civil Money Penalty
CFR                    Code of Federal Regulations
DOJ                    Department of Justice
FDI Act                Federal Deposit Insurance Act
FDIC                   Federal Deposit Insurance Corporation
FFIEC                  Federal Financial Institutions Examination Council
FinCEN                 Financial Crimes Enforcement Network
MOU                    Memorandum of Understanding
RMS                    Division of Risk Management Supervision
The Treasury           Department of the Treasury
ViSION                 Virtual Supervisory Information on the Net

Appendix 4

Corporation Comments

Appendix 5

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response
to the recommendations in the report and the status of the recommendations as of the
date of report issuance.

Rec.  Corrective Action:              Expected    Monetary  Resolved:[a]  Open or
No.   Taken or Planned                Completion  Benefits  Yes or No     Closed[b]
                                      Date

1     RMS will review and update,     12/31/2014  N/A       Yes           Open
      as appropriate, Regional
      Office practices for ensuring
      compliance with BSA/AML
      enforcement guidance.

2     RMS will review and             12/31/2014  N/A       Yes           Open
      modify, as appropriate,
      policy and practices for
      recording the status and
      disposition of CMP referrals
      to FinCEN. RMS will also
      request updates from
      FinCEN regarding the status
      of FinCEN’s enforcement
      cases in order to update
      FDIC records.

3     RMS will review and update,     12/31/2014  N/A       Yes           Open
      as appropriate, Regional
      Office procedures for
      monitoring financial
      institutions with significant
      BSA/AML problems to
      promote consistency.

[a] Resolved –
    (1) Management concurs with the recommendation, and the planned, ongoing, and
        completed corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but alternative action meets
        the intent of the recommendation.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)
        amount. Monetary benefits are considered resolved as long as management provides
        an amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the
    OIG that corrective actions are complete or (b) in the case of recommendations that
    the OIG determines to be particularly significant, when the OIG confirms that
    corrective actions have been completed and are responsive.